Description
The WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The WPFunnels WordPress plugin is vulnerable to stored cross-site scripting through the 'wpf_optin_form' shortcode, specifically its 'button_icon' attribute. Because the plugin neither sanitizes that attribute on input nor escapes it on output, an authenticated user with the Contributor role or higher can place a script-bearing value in the shortcode and save it in a post. Whenever that post is rendered, including an editor's or administrator's preview of an unpublished draft, the script runs in the viewing user's browser under that user's session, which is what the scope-changed (S:C) CVSS rating reflects. Typical consequences are requests forged on behalf of a logged-in administrator (creating users, changing settings), defacement, and redirection to attacker-controlled sites; cookie theft applies only to cookies not flagged HttpOnly, which excludes WordPress's own authentication cookies in their default configuration.

Affected Systems

This flaw affects the WPFunnels plugin by getwpfunnels, named in the CVE description as "WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales" and in the vendor/product data on this page as "Funnel Builder for WooCommerce with Checkout & One Click Upsell". All released versions up to and including 3.7.9 are affected. The affected range implies that a release later than 3.7.9 carries the fix, but this page lists no vendor advisory, so confirm the fixed version against the plugin's changelog before treating an upgrade as sufficient.

Risk and Exploitability

The CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) is medium severity: the attack is reachable over the network and needs no interaction from the victim beyond loading a page, but it requires a valid Contributor-level account, so the realistic threat is a malicious or compromised low-privilege author rather than an anonymous attacker. The EPSS score is below 1%, the CVE is not listed in the CISA KEV catalog, and the SSVC assessment recorded on this page reports no known exploitation, rates the flaw not automatable, and scores its technical impact as partial. Once stored, the payload fires for every viewer of the affected page, including privileged users reviewing a contributor's pending post, which is the path by which a low-privilege account can drive actions in an administrator's session.

Generated by OpenCVE AI on April 4, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPFunnels to a version later than 3.7.9 that the vendor identifies as fixed; this page lists no vendor advisory, so verify the fixed version in the plugin changelog.
  • If an upgrade is not yet possible, audit existing posts that contain the 'wpf_optin_form' shortcode and remove or rewrite any 'button_icon' value that is not a plain icon class name, prioritising draft and pending posts from Contributor-level accounts because those execute when an editor previews them.
  • Restrict the Contributor role to trusted accounts and disable contributor accounts that do not need to author content.
  • Periodically scan post content for unexpected markup in shortcode attributes and monitor for contributor accounts created or modified unexpectedly.

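As an added triage example for the audit step above (this is not OpenCVE's or the plugin vendor's code), the following Python scans exported post rows for the 'wpf_optin_form' shortcode and flags any 'button_icon' value that falls outside an allowlist of icon-class characters. The attribute grammar is a simplified approximation of WordPress shortcode parsing rather than the plugin's own parser, the sample rows are constructed, and the payloads illustrate CWE-79 attribute breakout in general, not a payload taken from this CVE's writeup.

```python
import re

# Shortcode named in the advisory and the attribute it reports as unescaped.
SHORTCODE = "wpf_optin_form"
UNESCAPED_ATTR = "button_icon"

# Simplified WordPress-style attribute grammar: name="v", name='v' or name=v.
# Approximates shortcode_parse_atts(); it is not the plugin's parser.
ATTR_RE = re.compile(
    r"""\s*([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"\]]+))"""
)

# Allowlist: a legitimate icon class looks like "fa fa-arrow-right". Anything
# outside this set (quotes, angle brackets, equals signs) is treated as suspect
# because it is what an attribute-breakout or tag-injection payload needs.
ICON_OK_RE = re.compile(r"^[A-Za-z0-9 _-]*$")


def parse_shortcodes(content):
    """Return the attribute dict of every [wpf_optin_form ...] tag in content."""
    found = []
    pos = 0
    needle = "[" + SHORTCODE
    while (start := content.find(needle, pos)) != -1:
        i = start + len(needle)
        # Require a tag boundary so "[wpf_optin_form_other" is not matched.
        if i < len(content) and content[i] not in " \t\r\n]/":
            pos = i
            continue
        attrs = {}
        while (m := ATTR_RE.match(content, i)) is not None:
            name = m.group(1).lower()
            # Exactly one of the three value groups matched; keep the non-None one.
            attrs[name] = next(g for g in m.groups()[1:] if g is not None)
            i = m.end()
        found.append(attrs)
        close = content.find("]", i)
        pos = len(content) if close == -1 else close + 1
    return found


def icon_verdict(value):
    """'absent', 'benign' (allowlisted characters only) or 'suspicious'."""
    if value is None:
        return "absent"
    return "benign" if ICON_OK_RE.match(value) else "suspicious"


def scan_posts(posts):
    """Return one finding per shortcode whose button_icon fails the allowlist."""
    findings = []
    for post in posts:
        for attrs in parse_shortcodes(post["post_content"]):
            if icon_verdict(attrs.get(UNESCAPED_ATTR)) == "suspicious":
                findings.append({
                    "post_id": post["ID"],
                    "author": post["post_author"],
                    "status": post["post_status"],
                    UNESCAPED_ATTR: attrs[UNESCAPED_ATTR],
                })
    return findings


# Constructed rows shaped like wp_posts. Rows 102 and 103 carry generic
# attribute-breakout / tag-injection payloads, not anything from this CVE.
SAMPLE_POSTS = [
    {"ID": 101, "post_author": "editor", "post_status": "publish",
     "post_content": 'Intro [wpf_optin_form id="3" button_icon="fa fa-arrow-right"] outro'},
    {"ID": 102, "post_author": "contrib1", "post_status": "pending",
     "post_content": "[wpf_optin_form id='3' button_icon='x\" onmouseover=\"alert(document.domain)']"},
    {"ID": 103, "post_author": "contrib2", "post_status": "draft",
     "post_content": '[wpf_optin_form button_icon="<img src=x onerror=alert(1)>"]'},
    {"ID": 104, "post_author": "editor", "post_status": "publish",
     "post_content": '[wpf_optin_form id=3] and [other_shortcode button_icon="<b>"]'},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']} ({f['status']}, by {f['author']}): {f[UNESCAPED_ATTR]!r}")
```

On a live site, feed the scanner rows exported with WP-CLI (for example wp post list --post_status=any --format=json with the ID, post_author, post_status and post_content fields) so that drafts and pending posts are included; those are exactly the items a Contributor can create and an editor will preview. An allowlist on the attribute value is used rather than a denylist of payload fragments because the output context is an HTML attribute, and any quote or angle bracket is enough to break out of it.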
Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

First Time appeared (values added): Getwpfunnels; Getwpfunnels wpfunnels – Funnel Builder For Woocommerce With Checkout & One Click Upsell; Wordpress; Wordpress wordpress
Vendors & Products (values added): Getwpfunnels; Getwpfunnels wpfunnels – Funnel Builder For Woocommerce With Checkout & One Click Upsell; Wordpress; Wordpress wordpress

Mon, 06 Apr 2026 18:00:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 11:15:00 +0000

Description (values added): The WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpf_optin_form' shortcode in all versions up to, and including, 3.7.9 due to insufficient input sanitization and output escaping of the 'button_icon' parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title (values added): WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode
Weaknesses (values added): CWE-79
References (values added): none listed
Metrics cvssV3_1 (values added): {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:23.537Z

Reserved: 2026-01-05T21:49:40.411Z

Link: CVE-2026-0626

Vulnrichment

Updated: 2026-04-06T16:46:21.509Z

NVD

Status: Deferred

Published: 2026-04-04T12:16:02.787

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-0626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T22:20:50Z

Weaknesses